Presentation is loading. Please wait.

Presentation is loading. Please wait.

SUDS: An Infrastructure for Creating Bug Detection Tools

Published byHamdani Budiono Modified over 5 years ago

Similar presentations

Presentation on theme: "SUDS: An Infrastructure for Creating Bug Detection Tools"— Presentation transcript:

1 SUDS: An Infrastructure for Creating Bug Detection Tools
Eric Larson October 1, 2007 Seattle University

2 What is SUDS? SUDS is an infrastructure to facilitate the construction of software bug detection tools. SUDS primarily used to create dynamic bug detection tools. Contains static analysis phases used to improve / focus dynamic bug detection. At the heart of SUDS is a C to (instrumented) C converter.

3 Program (preprocessed
Overview of SUDS Program (preprocessed C source code) SUDS AST Parse Simplify Simplified AST Analyze Analysis Results Instrumentation Model Instrument Instrumented Source Code Instrumented Executable Link

4 Static Analysis Standard compiler analyses Tainted propagation
Control flow graph / call graph Data flow analysis (mostly intraprocedural) Flow-sensitive pointer analysis (Hind et. al.) Tainted propagation Propagates tainted attribute of variables (forward) User can modify infrastructure to change what tainted means Program slicing Propagates interesting uses backwards User can modify slicing criterion (can be all statements that have this property or characteristic) Context-insensitive

5 Instrumentation Direct SUDS where to add instrumentation.
Add instrumentation based on statement, expression, or event. Support functions allow users to easily pass parameters into the instrumentation functions. Write the instrumentation routines. Can use provided state table: allows the instrumented program to keep track of additional state when the program is running. Can take advantage of results from static analysis phases.

6 Example of how SUDS is used
Goal: To detect buffer overflows for array references that uses data that came from input. Tainted analysis: All input data is tainted. Program slicing: All data that can lead to an array reference is in the slice. Instrumentation: Track all arrays and their sizes. Track pointers to arrays. Track integers that are tainted and in the slice. At array references, check for bugs.

7 Results: Finding Bugs Program SUDS SPLINT VALGRIND Bugs Same Bugs
New Bugs anagram 2 ft ks 3 yacr2 betaftpd 1 gaim ghttpd openssh didn't work thttpd

8 Results: Performance 0.06 1.88 31.33 3.15 52.50 1.32 22.00 58.1% 0.18
Program Base line Valgrind SUDS Unoptimized SUDS Optimized Perf. Improve % Time Ratio anagram 0.06 1.88 31.33 3.15 52.50 1.32 22.00 58.1% ft 0.18 5.92 32.89 5.32 29.56 0.88 4.89 83.5% ks 0.05 4.16 83.20 3.96 79.20 0.45 9.00 88.6% yacr2 0.12 3.83 31.92 22.63 188.58 11.87 98.92 47.5% betaftpd 0.07 6.43 0.53 7.57 0.27 3.86 49.1% ghttpd 0.52 35.60 68.46 1.08 2.08 0.69 1.33 36.1% openssh 0.70 didn't work 1.00 1.43 0.91 1.30 9.0% thttpd 0.15 0.29 1.93 2.57 17.13 1.78 30.7%

9 Future Work Add phase(s) that attempt to detect bugs using static analysis. Certain types of bugs can use data flow analysis but need to prune false alarms. Develop static analysis phases that improve the quality of dynamic bug detection, not just the performance.

10 Questions

Download ppt "SUDS: An Infrastructure for Creating Bug Detection Tools"

Similar presentations

Static Analysis for Security

Static Analysis for Security
Course Outline Traditional Static Program Analysis Software Testing

Course Outline Traditional Static Program Analysis Software Testing
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)

Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)
Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.

Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.

Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.

CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
Advanced Computer Architecture Lab University of Michigan 1 Efficient Dynamic Detection of Input-Related Security Faults Eric Larson Dissertation Defense.

Advanced Computer Architecture Lab University of Michigan 1 Efficient Dynamic Detection of Input-Related Security Faults Eric Larson Dissertation Defense.
Improving Network Applications Security: a New Heuristic to Generate Stress Testing Data Presented by Conrad Pack Del Grosso et al.

Improving Network Applications Security: a New Heuristic to Generate Stress Testing Data Presented by Conrad Pack Del Grosso et al.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
May 22, 2002OSQ Retreat 1 CCured: Taming C Pointers George Necula Scott McPeak Wes Weimer

May 22, 2002OSQ Retreat 1 CCured: Taming C Pointers George Necula Scott McPeak Wes Weimer
Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.

Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.
1.3 Executing Programs. How is Computer Code Transformed into an Executable? Interpreters Compilers Hybrid systems.

1.3 Executing Programs. How is Computer Code Transformed into an Executable? Interpreters Compilers Hybrid systems.

Similar presentations

Ads by Google